Confusing messaging when certificate secret name already exist #7002

Open
jjshanks opened this issue May 10, 2024 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@jjshanks

Describe the bug:
When doing a describe on a certificate it says unable to decode PEM block

The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block

Expected behaviour:

A message about how issuer-ref and secretName can't be the same secret. Or something more explicit about what is breaking.

Steps to reproduce the bug:

 helm repo add jetstack https://charts.jetstack.io --force-update
 helm repo update
 kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.crds.yaml
 helm install \
   cert-manager jetstack/cert-manager \
   --namespace cert-manager \
   --create-namespace \
   --version v1.14.5
 kubectl create namespace linkerd
 step certificate create root.linkerd.cluster.local ca.crt ca.key \
  --profile root-ca --no-password --insecure &&
  kubectl create secret tls \
    linkerd-trust-anchor \
    --cert=ca.crt \
    --key=ca.key \
    --namespace=linkerd
	
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor
EOF

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-trust-anchor
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
  - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
  - cert sign
  - crl sign
  - server auth
  - client auth
EOF

Anything else we need to know?:

Environment details:

  • Kubernetes version: 1.30 / 1.29
  • Cloud-provider/provisioner: minikube / EKS
  • cert-manager version: 1.14.5
  • Install method: helm

/kind bug

@cert-manager-prow cert-manager-prow bot added the kind/bug Categorizes issue or PR as related to a bug. label May 10, 2024
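
A check for the collision in the reproduction steps above, as an added example that is not part of the original issue or of cert-manager's code: it reports any Certificate whose spec.secretName is the same Secret its CA Issuer reads its key pair from. The function name and the embedded sample JSON are constructed for illustration, and only namespaced CA Issuers are handled.

```python
import json

# Constructed sample: the Issuer and Certificate from the reproduction steps,
# in the shape `kubectl get issuers,certificates -A -o json` returns (trimmed).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Issuer",
   "metadata": {"name": "linkerd-trust-anchor", "namespace": "linkerd"},
   "spec": {"ca": {"secretName": "linkerd-trust-anchor"}}},
  {"kind": "Certificate",
   "metadata": {"name": "linkerd-identity-issuer", "namespace": "linkerd"},
   "spec": {"secretName": "linkerd-trust-anchor",
            "issuerRef": {"name": "linkerd-trust-anchor", "kind": "Issuer"}}}
]}
""")


def find_secret_collisions(items):
    """Return one message per Certificate whose spec.secretName is the same
    Secret its CA Issuer reads its signing key pair from (spec.ca.secretName)."""
    # Map (namespace, issuer name) -> CA secret name, for namespaced CA Issuers only.
    ca_secrets = {}
    for obj in items:
        ca = obj.get("spec", {}).get("ca")
        if obj.get("kind") == "Issuer" and ca and ca.get("secretName"):
            meta = obj["metadata"]
            ca_secrets[(meta["namespace"], meta["name"])] = ca["secretName"]

    problems = []
    for obj in items:
        if obj.get("kind") != "Certificate":
            continue
        meta, spec = obj["metadata"], obj.get("spec", {})
        ref = spec.get("issuerRef", {})
        # issuerRef.kind defaults to Issuer when omitted; ClusterIssuers are skipped.
        if ref.get("kind", "Issuer") != "Issuer":
            continue
        ca_secret = ca_secrets.get((meta["namespace"], ref.get("name")))
        if ca_secret is not None and ca_secret == spec.get("secretName"):
            problems.append(
                f"{meta['namespace']}/{meta['name']}: secretName {ca_secret!r} is also "
                f"the CA secret of Issuer {ref['name']!r}; use a different secretName"
            )
    return problems


if __name__ == "__main__":
    for line in find_secret_collisions(SAMPLE["items"]):
        print(line)
```
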
@hawksight
Member
